* [PATCH nft 1/2] src: generation ID is 32-bit long
@ 2019-06-07 9:12 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2019-06-07 9:12 UTC (permalink / raw)
To: netfilter-devel; +Cc: phil, fw
Update mnl_genid_get() to return 32-bit long generation ID. Add
nft_genid_u16() which allows us to catch ruleset updates from the
netlink dump path via 16-bit long nfnetlink resource ID field.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/mnl.h | 2 +-
include/nftables.h | 2 +-
src/mnl.c | 11 ++++++++---
src/rule.c | 5 ++---
4 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/include/mnl.h b/include/mnl.h
index 9f50c3da0f3a..eeba7379706f 100644
--- a/include/mnl.h
+++ b/include/mnl.h
@@ -10,7 +10,7 @@ struct mnl_socket *nft_mnl_socket_open(void);
struct mnl_socket *nft_mnl_socket_reopen(struct mnl_socket *nf_sock);
uint32_t mnl_seqnum_alloc(uint32_t *seqnum);
-uint16_t mnl_genid_get(struct netlink_ctx *ctx);
+uint32_t mnl_genid_get(struct netlink_ctx *ctx);
struct mnl_err {
struct list_head head;
diff --git a/include/nftables.h b/include/nftables.h
index af2c1ea16cfb..b7c78572da77 100644
--- a/include/nftables.h
+++ b/include/nftables.h
@@ -78,7 +78,7 @@ static inline bool nft_output_numeric_symbol(const struct output_ctx *octx)
}
struct nft_cache {
- uint16_t genid;
+ uint32_t genid;
struct list_head list;
uint32_t seqnum;
uint32_t cmd;
diff --git a/src/mnl.c b/src/mnl.c
index c0df2c941d88..e0856493909d 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -108,7 +108,7 @@ nft_mnl_talk(struct netlink_ctx *ctx, const void *data, unsigned int len,
/*
* Rule-set consistency check across several netlink dumps
*/
-static uint16_t nft_genid;
+static uint32_t nft_genid;
static int genid_cb(const struct nlmsghdr *nlh, void *data)
{
@@ -119,7 +119,7 @@ static int genid_cb(const struct nlmsghdr *nlh, void *data)
return MNL_CB_OK;
}
-uint16_t mnl_genid_get(struct netlink_ctx *ctx)
+uint32_t mnl_genid_get(struct netlink_ctx *ctx)
{
char buf[MNL_SOCKET_BUFFER_SIZE];
struct nlmsghdr *nlh;
@@ -131,11 +131,16 @@ uint16_t mnl_genid_get(struct netlink_ctx *ctx)
return nft_genid;
}
+static uint16_t nft_genid_u16(uint32_t nft_genid)
+{
+ return nft_genid & 0xffff;
+}
+
static int check_genid(const struct nlmsghdr *nlh)
{
struct nfgenmsg *nfh = mnl_nlmsg_get_payload(nlh);
- if (nft_genid != ntohs(nfh->res_id)) {
+ if (nft_genid_u16(nft_genid) != ntohs(nfh->res_id)) {
errno = EINTR;
return -1;
}
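Review bot: The parameter of `nft_genid_u16()` is named `nft_genid`, the same as the file-scope `static uint32_t nft_genid` changed earlier in this file, so the global is shadowed inside the helper; this is easy to misread and warns under -Wshadow. Renaming the parameter, e.g. `static uint16_t nft_genid_u16(uint32_t genid)`, avoids that. The helper also deserves a comment such as `/* res_id carries only the low 16 bits of the generation ID; a dump spanning a multiple of 65536 generations still compares equal */`, because that limit of the dump-path check is not stated anywhere in the code shown. check_genid() continues past the end of the hunk.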
diff --git a/src/rule.c b/src/rule.c
index 1e081c8fe862..651454733bed 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -244,8 +244,6 @@ static bool cache_is_updated(struct nft_cache *cache, uint16_t genid)
int cache_update(struct nft_ctx *nft, enum cmd_ops cmd, struct list_head *msgs)
{
- uint16_t genid;
- int ret;
struct netlink_ctx ctx = {
.list = LIST_HEAD_INIT(ctx.list),
.nft = nft,
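Review bot: The hunk header still shows `cache_is_updated(struct nft_cache *cache, uint16_t genid)`, and the diffstat for src/rule.c leaves no room for a change to it, so the helper appears to keep a 16-bit parameter while `cache->genid` and the local `genid` in cache_update() become `uint32_t`. If cache_update() passes its `genid` to that helper (the call is outside the hunk), the value is truncated before it is presumably compared with the 32-bit cached one, and the two would stop matching once the generation ID exceeds 65535. The signature should be widened to `static bool cache_is_updated(struct nft_cache *cache, uint32_t genid)`.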
@@ -253,7 +251,8 @@ int cache_update(struct nft_ctx *nft, enum cmd_ops cmd, struct list_head *msgs)
.nft = nft,
};
struct nft_cache *cache = &nft->cache;
-
+ uint32_t genid;
+ int ret;
replay:
ctx.seqnum = cache->seqnum++;
genid = mnl_genid_get(&ctx);
--
2.11.0
* [PATCH nft 2/2,v2] rule: ensure cache consistency
@ 2019-06-07 9:12 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2019-06-07 9:12 UTC (permalink / raw)
To: netfilter-devel; +Cc: phil, fw
Check for generation ID after the cache is populated. In case of
interference, release the inconsistent cache and retry.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v2: rebase on top of "32-bit long generation ID" patch.
src/rule.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/rule.c b/src/rule.c
index 651454733bed..e570238a40f5 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -251,7 +251,7 @@ int cache_update(struct nft_ctx *nft, enum cmd_ops cmd, struct list_head *msgs)
.nft = nft,
};
struct nft_cache *cache = &nft->cache;
- uint32_t genid;
+ uint32_t genid, genid_stop;
int ret;
replay:
ctx.seqnum = cache->seqnum++;
@@ -272,6 +272,13 @@ replay:
}
return -1;
}
+
+ genid_stop = mnl_genid_get(&ctx);
+ if (genid != genid_stop) {
+ cache_release(cache);
+ goto replay;
+ }
+
cache->genid = genid;
cache->cmd = cmd;
return 0;
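Review bot: The new `goto replay` after `cache_release(cache)` has no retry limit, so as long as the ruleset generation keeps changing between the two `mnl_genid_get()` calls, cache_update() keeps rebuilding the cache and does not return. Consider counting replays and returning -1 with errno set once a fixed limit is reached, so that a busy or misbehaving updater on the host cannot stall every nft invocation. A short comment above the check, e.g. `/* generation changed while the cache was being populated: discard and retry */`, would also record why the ID is read twice. The rest of cache_update() lies outside the hunk.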
--
2.11.0